Multi-factor authentication (MFA) is becoming mainstream for logging in to personal and business accounts. From your computer, bank account, government websites, or installing apps on your smart TV, MFA provides multiple methods to prove your identity to gain access to the device, statement, website, or app. A major reason for this is that MFA is required for many business cybersecurity insurance policies. MFA is not infallible, but it is part of the multi-layer security model that blocks potential hackers from accessing your accounts. Since MFA is utilized regularly, hackers and bad actors have also had to change their techniques and are following along by using a tactic called an MFA fatigue attack.
What is an MFA fatigue attack?
MFA fatigue, sometimes called prompt bombing, or a push harassment attack is when the bad actors force multiple prompts on your MFA account, whether it’s Duo, Microsoft Authenticator, Google Authenticator, Authy, or others. The goal is for you to get annoyed of clicking “deny” repeatedly, wearing you down until you give up and click “approve.”
You might allow access to make the notification disappear and stop bugging you or because you think your computer is trying to re-authenticate. Once the attackers bypass the MFA, the most common next step is enrolling new devices for MFA. From there, they can either steal data or deploy their exploitation tools.
Learn from the Experts
Mandiant
Mandiant, a leader in threat intelligence, recently commented on the abuse of repeated MFA push notifications many end users are experiencing. They stated that threat actors take advantage of the convenient push notification or phone call offered on many MFA apps.
If the user isn’t paying attention to where the login attempt is coming from, the hacker will eventually gain access to the account. This allows the threat actor to log in with a valid username and password.
Wired
Wired magazine referred to a hacking gang member that explained their tactics when calling an employee until they unintentionally gave the hacker access. A member of the Lapsus$ hacking group revealed they would call the victim 100 times throughout the night, increasing the chances of the victim accepting the MFA notification so they can go back to sleep. Once the employee accepted the call, Lapsus$ accessed the MFA enrollment portal and registered another device so they could easily log in later.
The Lapsus$ member claimed that the MFA prompt-bombing technique was effective against Microsoft, who said the hacking group could access the laptop of one of its employees.
What to do if you are under an MFA fatigue attack
The bad actors are relying on you growing weary of being prompted by authentication requests. Don’t give in! If you’re getting prompted by your MFA app to approve a login attempt, and you’re not trying to log in, that’s a huge red flag. This means your password to whichever system sends you the MFA prompt may have been compromised.
Besides not accepting, allowing, or approving the prompt, you should note what system is sending the notification and plan on changing that password. DO NOT do it at the same time you are being bombed. Either wait for it to subside, and they move on, or have the system's owner, support, or administrator change your password for you, so you don’t inadvertently allow them access when you log in to change your password.
Ways to fight it
CoreTech’s Duo MFA accounts use the default ten push limit before the account is locked and will need to be unlocked by your DUO admin or IT service provider. At CoreTech, we are evaluating similar settings with the Microsoft MFA policies to see how well they can be managed across our client base.
As is usually the case with all cybersecurity attacks such as MFA fatigue and phishing, user distrust and cybersecurity training are crucial and constitute the first line of defense.
Employees should never accept a push notification to identify themselves to access company programs if they didn’t request access at that moment or if it is coming from an unfamiliar location. So, when in doubt, it is best to contact and inform your IT support team and decline or disable the notifications unless you’re logging in.
In closing...
Organizations must stay one step ahead as bad actors continue to find new ways to thwart security measures. Training and common sense will go a long way to keep login accounts and the systems behind them secure.
Cybersecurity is one of the top priorities at CoreTech, as small businesses are targeted for attacks daily. While no business is immune to an attack, CoreTech’s IT security provides prevention to keep an attack from happening and protection on the accidental chance a breach does occur. Reach out to us if you’d like to learn more about our cybersecurity policies and how we can prep your staff for any cyberattack they come across.
